Following the 'kill chain' to fend off cyberattacks

Defending against an ever-increasing stream of cyberattacks can be a game of blind man’s bluff.

Network defenders have to try to be right 100 percent of the time, and be prepared for all types of attacks, but attackers only need to get lucky once. As a result, network defenders wind up responding after the fact.

Lockheed Martin’s cybersecurity team viewed this as a defeatist attitude, said Anne Mullins, vice president and cyber executive in the company's Information Systems and Global Solutions group. The team approached the problem differently, by thinking about what an adversary needed to be successful. The result is a cybersecurity methodology that analyzes persistent intrusions for patterns and trends and then uses this data to stop attacks in their tracks.

As the nation’s largest defense contractor with a major network presence, the company has a lot of experience being in hackers’ crosshairs. But the benefits of using that experience extend beyond just protecting the company. “It’s a challenge that affects the entire country and the entire world,” Mullins said.

The team took one particular intrusion and deconstructed it, coming up with seven sequential steps attackers needed to successfully get into an organization’s network. It is this chain of events that the company refers to as its “kill chain.”

Lockheed Martin’s approach, part of how it handles its in-house and customer support security, gathers intelligence on each of those steps for every intrusion it analyzes. This data can then be applied when an intrusion is detected, allowing cybersecurity personnel to better understand how adversaries operate. “The more you know about how they operate, the more you can anticipate their moves,” Mullins said.

Because these advanced adversaries return again and again to find what they are looking for, Lockheed Martin uses this against them. “The more persistent they are, the more we learn about them, the more we see them make mistakes or get lazy, because this is a people problem — not a ones and zeros problem,” Mullins said.

The company has gathered large amounts of data about attackers’ patterns and their methods across the entire chain. “If you can break that chain in one step, then you are successful. But if you can break that chain in multiple steps, you are resilient,” Mullins said.

Resiliency means that if attackers change one or two attack methods and an organization can still counter them at three or four other points on the chain, the attacks do not succeed. This forces attackers to reinvent their entire approach for the next attack to succeed, Mullins said. “We may not anticipate one innovation that they have, but we’ve built resiliency into our defenses that allows us to be successful,” she said.

The company’s kill chain approach is also analogous to defense in depth. Mullins said the further an attacker can get into the chain before being stopped, the greater the risk to an organization. The company maps its defense in depth to the kill chain to address every aspect so that the network can defend itself even if attackers alter parts of their approach, she said.

As organizations begin to deconstruct attacks and collect data on them, familiar patterns of behavior become evident, Mullins said. By clustering these similar behaviors, organizations can determine whether a series of persistent attacks is all part of a single “campaign” against their networks. Conducting forward- and backward-looking forensics on attacks allows Lockheed Martin’s cybersecurity staff to determine whether they are coming from the same adversary.
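The two ideas above, breaking the chain at several steps so that a changed tactic still fails, and clustering intrusions into campaigns by shared behavior, can be modelled in a few lines. This is an added illustration, not code from the article or from Lockheed Martin; the seven phase names follow the company's published kill chain paper, and every intrusion record, indicator and control below is constructed for the example.

```python
# Phase names follow the published Lockheed Martin kill chain paper (not this article).
PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]

# Constructed intrusion records: the indicator observed at each phase (absent = not observed).
INTRUSIONS = {
    "i1": {"delivery": "mail:attacker-a.test", "exploitation": "exploit:doc-A",
           "installation": "hash:aaa111", "command_and_control": "dom:c2-a.test"},
    "i2": {"delivery": "mail:attacker-b.test", "exploitation": "exploit:doc-A",
           "installation": "hash:bbb222", "command_and_control": "dom:c2-a.test"},
    "i3": {"delivery": "mail:attacker-c.test", "exploitation": "exploit:doc-B",
           "installation": "hash:ccc333", "command_and_control": "dom:c2-c.test"},
}
# Constructed controls: the indicators each phase's defences recognise and block.
CONTROLS = {"delivery": {"mail:attacker-a.test"},
            "exploitation": {"exploit:doc-A"},
            "command_and_control": {"dom:c2-a.test"}}

def blocked_phases(observed, controls=CONTROLS):
    """Phases, in chain order, where a control matches the observed indicator."""
    return [p for p in PHASES if observed.get(p) in controls.get(p, set())]

def resilience(observed, controls=CONTROLS):
    """Number of independent breaks: 0 means the intrusion gets through, 1 stops it,
    more than 1 means the adversary changing any single step still leaves it stopped."""
    return len(blocked_phases(observed, controls))

def adapt(observed, phase, new_indicator):
    """Model the adversary reinventing one step of the chain (constructed scenario)."""
    return {**observed, phase: new_indicator}

def cluster_campaigns(intrusions, phases=PHASES):
    """Merge intrusions into campaigns when they share an indicator at any listed phase."""
    campaigns = []  # list of (member names, (phase, indicator) keys seen in the campaign)
    for name, observed in intrusions.items():
        names, keys = {name}, {(p, observed[p]) for p in phases if p in observed}
        kept = []
        for members, seen in campaigns:
            if seen & keys:  # overlap with an existing campaign: fold it into this one
                names, keys = names | members, keys | seen
            else:
                kept.append((members, seen))
        campaigns = kept + [(names, keys)]
    return sorted((members for members, _ in campaigns), key=sorted)
```

Passing a reduced `phases` list to `cluster_campaigns` (for example, leaving out exploitation) lets you check whether two campaigns are linked only by a shared exploit rather than by shared infrastructure.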

Mullins said the company has been tracking between 30 and 40 different cyber campaigns for nearly seven years along with new attacks. “By analyzing at the campaign level, we gain a tremendous amount of insight into how the behavior evolves, into how the adversaries operate, into what their sweet spot is,” she said.

The kill chain process is refined enough that Lockheed Martin IT personnel can analyze the “supply chain” behind adversary campaigns. For example, Mullins said, one campaign might focus on mapping infrastructure, another on a particular technology area. Some campaigns share the same network exploits, which indicates that whoever is building these exploits is selling them to multiple campaigns, she said.

“All that insight comes into play because we have the intelligence-driven models and methods that help us think of this problem differently and give us that advantage over a very tenacious adversary,” she said.